When it comes to testing the security of websites, most testing tools and services perform ethical hacks, sending a series of requests that probe for buffer overflows, SQL injection, or DNS exploits. But until now, none of these web application security testers has managed to test fully formed web services.
Watchfire Corp is releasing AppScan 6.5, which adds the ability to crawl not just URLs but also WSDL web service descriptions. Beyond WSDL discovery, the new capabilities include attack libraries designed to exploit the XML.
It complements vulnerability testing that SOA QA tools, such as iTKO, Mindreef, Parasoft, and Solstice Software currently perform during the software development cycle.
By contrast, offerings such as Watchfire AppScan and rivals SPI Dynamics and Cenzic focus on web apps that are already online. Watchfire is the first of this group to add web services to the mix.
The challenge is that web services transform web interactions from relatively contained file transfer or database interactions into something closer to a dynamic, virtual software application, so organizations could find significant chunks of business logic exposed. Logic exposed through WSDL is vulnerable to the same hazards as regular web applications.
The fact that there have been no published worms or high-visibility attacks doesn't mean that web services aren't vulnerable to attacks, said Mike Weider, founder and CTO.
AppScan 6.5 includes a Web Services Explorer that lets you examine the various methods comprising the Web service, and then manipulate input data and examine feedback from the service. And, because web services are often invoked as machine-to-machine interactions, the tool provides a series of automated SOAP tests.
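To make concrete what "logic exposed through WSDL" means and what a Web Services Explorer has to do before it can manipulate input data, here is an added example in Python that is not AppScan code and not part of the original article. It parses a constructed WSDL document (a fictional orders service under the namespace `http://example.invalid/orders`), enumerates the operations a portType exposes together with their input parameters, flags string parameters whose schema places no length, pattern, or enumeration restriction on them (the inputs a defender should be validating server-side), and builds a SOAP 1.1 request for one operation with every value escaped by the XML library. The WSDL, the element names, and the `constrained` heuristic are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
W, X = "{%s}" % WSDL_NS, "{%s}" % XSD_NS
ET.register_namespace("soap", SOAP_NS)

# Constructed sample WSDL for a fictional orders service (not a real endpoint).
SAMPLE_WSDL = """
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:tns="http://example.invalid/orders"
             targetNamespace="http://example.invalid/orders">
  <types>
    <xsd:schema targetNamespace="http://example.invalid/orders">
      <xsd:element name="GetOrder">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="orderId" type="xsd:string"/>
          <xsd:element name="customerId" type="xsd:int"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
      <xsd:element name="SearchOrders">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="query">
            <xsd:simpleType><xsd:restriction base="xsd:string">
              <xsd:maxLength value="64"/>
            </xsd:restriction></xsd:simpleType>
          </xsd:element>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </types>
  <message name="GetOrderIn"><part name="parameters" element="tns:GetOrder"/></message>
  <message name="SearchOrdersIn"><part name="parameters" element="tns:SearchOrders"/></message>
  <portType name="OrdersPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="SearchOrders"><input message="tns:SearchOrdersIn"/></operation>
  </portType>
</definitions>
"""

# Facets that narrow a string type; a string element without any of these
# accepts arbitrary input even when the server validates against the schema.
NARROWING_FACETS = {"maxLength", "length", "pattern", "enumeration"}


@dataclass
class Param:
    name: str
    xsd_type: str
    constrained: bool


@dataclass
class Operation:
    name: str
    params: list = field(default_factory=list)


def _local(qname):
    """Strip a 'prefix:' from a QName attribute value."""
    return qname.split(":")[-1] if qname else ""


def _element_params(elem):
    """Collect the leaf input parameters declared under a schema element."""
    params = []
    for child in elem.iter(X + "element"):
        if child is elem:
            continue
        xtype = child.get("type")
        if xtype:  # named type: anything but a bare string is already narrowed
            params.append(Param(child.get("name"), _local(xtype), _local(xtype) != "string"))
            continue
        restr = child.find("./%ssimpleType/%srestriction" % (X, X))
        base = _local(restr.get("base")) if restr is not None else "anonymous"
        facets = {f.tag.split("}")[-1] for f in restr} if restr is not None else set()
        params.append(Param(child.get("name"), base, bool(facets & NARROWING_FACETS)))
    return params


def inventory(wsdl_text):
    """Map each portType operation to its input parameters.

    The sample is trusted and constructed; a WSDL fetched from a third party
    should go through a hardened parser (e.g. defusedxml) before this step."""
    root = ET.fromstring(wsdl_text)
    schema = root.find("./%stypes/%sschema" % (W, X))
    top_elems = {e.get("name"): e for e in schema.findall(X + "element")}
    messages = {}
    for m in root.findall(W + "message"):
        part = m.find(W + "part")
        messages[m.get("name")] = _local(part.get("element")) if part is not None else None
    ops = []
    for pt in root.findall(W + "portType"):
        for op in pt.findall(W + "operation"):
            inp = op.find(W + "input")
            elem_name = messages.get(_local(inp.get("message"))) if inp is not None else None
            params = _element_params(top_elems[elem_name]) if elem_name in top_elems else []
            ops.append(Operation(op.get("name"), params))
    return ops


def unconstrained_inputs(ops):
    """(operation, parameter) pairs whose schema type does not bound the input."""
    return [(op.name, p.name) for op in ops for p in op.params if not p.constrained]


def soap_envelope(op, target_ns, values):
    """Build a SOAP 1.1 request for one operation; ElementTree escapes every value."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}%s" % (target_ns, op.name))
    for p in op.params:
        ET.SubElement(req, "{%s}%s" % (target_ns, p.name)).text = str(values.get(p.name, ""))
    return ET.tostring(env)


if __name__ == "__main__":
    ops = inventory(SAMPLE_WSDL)
    for op in ops:
        print(op.name, [(p.name, p.xsd_type, p.constrained) for p in op.params])
    print("unconstrained:", unconstrained_inputs(ops))
    print(soap_envelope(ops[0], "http://example.invalid/orders",
                        {"orderId": "A<1>", "customerId": 7}).decode())
```

Run as-is, the inventory lists both operations, reports `GetOrder.orderId` as the one unbounded string input, and prints a request whose `<` and `>` in the order id arrive as entity references rather than markup. Building requests through the XML library rather than string concatenation is the same discipline a scanner needs so that a test value, however odd, changes the field and not the structure of the envelope.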
Version 6.5 also adds compliance with the Payment Card Industry (PCI) Data Security Standard that is now being mandated by Visa and MasterCard.
AppScan 6.5 is available now.